
In your opinion, which is the best approach to collect the event logs remotely from several Windows machines in a network?

I need to collect the log events remotely and I have several approaches (WMI, EventLog class, etc.) but I don't know what the best way is.

Can you help me?

Thanks

J19

2 Answers


EDIT: Are you programming the remote event log access into an app? Maybe you can elaborate on that. If so, what language are you programming in, etc.

Check out OSSEC, perhaps in concert with Logstash and ElasticSearch.

Or you could look at Wevtutil, pull event log data to a management workstation then push it into a database.

There's also PsLogList from the sysinternals guys, which you could also use to pull the event log data, then push it into a database.

Craig Tullis
  • As I know, OSSEC implies installing OSSEC agents on each computer. Now I'm using the EventLog class that comes with .NET but there could be a better approach to get these event logs. How about WMI? Any experience? – J19 Apr 14 '14 at 09:52
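The pull-to-a-management-workstation approach from this answer, as an added example that is not part of the original post: a PowerShell collector that reads the Security and System logs from several remote hosts with `Get-WinEvent` (the successor to the .NET `EventLog` class, reading over the Event Log remoting RPC interface) and writes one JSON file per host for later loading into a database. Host names, the output directory and the time window are assumptions; the account running it needs to be in the `Event Log Readers` group (or be an administrator) on each target.

```powershell
# Added example, not code from the original answer.
# Pull recent Security/System events from several remote hosts and dump them as JSON.
param(
    [string[]] $Computers = @('srv01', 'srv02'),        # hypothetical host names
    [datetime] $Since     = (Get-Date).AddHours(-1),     # collection window
    [string]   $OutDir    = 'C:\eventlogs'               # assumed output folder
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# One filter for all hosts; Get-WinEvent applies it server-side, so only matching
# records cross the network (much cheaper than pulling a whole log and filtering locally).
$filter = @{
    LogName   = 'Security', 'System'
    StartTime = $Since
}

foreach ($computer in $Computers) {
    try {
        $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # Get-WinEvent raises an error when nothing matches; that is normal, not a failure.
        # RPC unavailable or access denied, on the other hand, should surface in the output.
        if ($_.Exception.Message -match 'No events were found') {
            Write-Host "${computer}: no events since $($Since.ToString('u'))"
            continue
        }
        Write-Warning "${computer}: $($_.Exception.Message)"
        continue
    }

    # Normalise each EventLogRecord into a flat object; TimeCreated is kept in UTC
    # (ISO 8601) so records from hosts in different time zones sort correctly later.
    $records = foreach ($e in $events) {
        [pscustomobject]@{
            Computer    = $e.MachineName
            TimeCreated = $e.TimeCreated.ToUniversalTime().ToString('o')
            LogName     = $e.LogName
            EventId     = $e.Id
            Provider    = $e.ProviderName
            Level       = $e.LevelDisplayName
            Message     = $e.Message
        }
    }

    $path = Join-Path $OutDir "$computer.json"
    @($records) | ConvertTo-Json -Depth 3 | Set-Content -Path $path -Encoding UTF8
    Write-Host ("{0}: {1} events written to {2}" -f $computer, @($records).Count, $path)
}
```

The same pull can be done without PowerShell using the tool the answer names, `wevtutil qe Security /r:srv01 /f:xml` with an XPath `/q:` filter, and the XML loaded into the database instead; `Get-WinEvent` simply gives you typed objects and the `-FilterHashtable` server-side filter for free. Whichever tool you use, the collector account is a high-value credential (it can read every target's Security log), so give it only `Event Log Readers` membership rather than local administrator.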
0

In my opinion the best way to do so would be to configure redis, rabbitMQ or ZeroMQ (well supported plugins) and send all your logs to a queue server from where your logstash indexer will pick up all the logs and process them.

In this way all your logs will be on a central server, which you can persist as well with the messaging systems I mentioned above. All your existing systems will stay the same and do not require any additional package except a simple client to push to the messaging queue.

http://logstash.net/docs/1.4.0/

Ananda
  • hmmm, interesting then you might look for some windows alternative to rsyslog which allows applications to send logs to a rsyslogd server. Also it would be good if you provide us with some more details of your logging mechanism so we can see if client-less mode can be implemented. – Ananda Apr 14 '14 at 10:46
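The "simple client to push to the messaging queue" this answer describes, as an added example that is not part of the original post: a PowerShell function that speaks just enough of the Redis wire protocol (RESP) to `RPUSH` a JSON record onto a list, with no Redis client library installed on the collecting workstation, followed by a loop that feeds it events read remotely with `Get-WinEvent`. The Redis host `logqueue`, the list name `winevents` and the source host `srv01` are assumptions; on the indexer side, logstash's `redis` input would read that list with `data_type => "list"` and `key => "winevents"`.

```powershell
# Added example, not code from the original answer.
# Minimal RESP client: RPUSH one value onto a Redis list and return the new list length.
function Send-RedisRPush {
    param(
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $Value,
        [string] $RedisHost = 'logqueue',   # assumed queue server
        [int]    $Port      = 6379
    )
    $enc = [System.Text.Encoding]::UTF8

    # RESP encodes a command as an array of bulk strings:
    #   *<argc>\r\n  then per argument  $<byte length>\r\n<bytes>\r\n
    # The length is a BYTE count, so it must be measured after UTF-8 encoding,
    # otherwise any non-ASCII event message corrupts the stream.
    $parts = @('RPUSH', $Key, $Value)
    $sb = New-Object System.Text.StringBuilder
    [void]$sb.Append("*$($parts.Count)`r`n")
    foreach ($p in $parts) {
        [void]$sb.Append("`$$($enc.GetByteCount($p))`r`n$p`r`n")
    }
    $bytes = $enc.GetBytes($sb.ToString())

    $client = New-Object System.Net.Sockets.TcpClient($RedisHost, $Port)
    try {
        $stream = $client.GetStream()
        $stream.Write($bytes, 0, $bytes.Length)

        # Reply is ':<new length>\r\n' on success; a reply starting with '-' is an error
        # (wrong type for the key, NOAUTH if the server requires a password, ...).
        $buf = New-Object byte[] 256
        $n = $stream.Read($buf, 0, $buf.Length)
        $reply = $enc.GetString($buf, 0, $n).TrimEnd("`r", "`n")
        if ($reply.StartsWith('-')) { throw "Redis error: $reply" }
        return [int]$reply.Substring(1)
    }
    finally {
        $client.Close()
    }
}

# Read the last 15 minutes of Security events from one remote host and ship each
# record as a compact JSON line; logstash's json codec turns it back into fields.
$since = (Get-Date).AddMinutes(-15)
Get-WinEvent -ComputerName 'srv01' `
             -FilterHashtable @{ LogName = 'Security'; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $json = [pscustomobject]@{
            host      = $_.MachineName
            timestamp = $_.TimeCreated.ToUniversalTime().ToString('o')
            log       = $_.LogName
            event_id  = $_.Id
            provider  = $_.ProviderName
            level     = $_.LevelDisplayName
            message   = $_.Message
        } | ConvertTo-Json -Compress
        $queued = Send-RedisRPush -Key 'winevents' -Value $json
        Write-Verbose "queued event $($_.Id) from $($_.MachineName); list length now $queued"
    }
```

Two operational points follow from the design: the queue decouples collection from indexing, so a logstash restart loses nothing as long as Redis persists the list, but the queue itself now holds Security log content in clear, so it belongs on a management network with Redis bound to that interface and `requirepass` set (and an `AUTH` command sent before `RPUSH`, which this minimal client omits).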